Overview
- Blockaid detected an active exploit and reported about $6 million drained from three Summer.fi contracts, publishing the affected contract addresses, an exploiter wallet and a sample transaction to help tracing.
- Researchers from CertiK and Cyvers said the attacker used a roughly $64–65 million flash loan to manipulate vault share-accounting tied to FleetCommander and redeem excess value within a single transaction.
- On-chain analysis shows the stolen assets were swapped into DAI and moved to the attacker-controlled address 0x7BF716167B48CF527725722C6d79494b45B3BDCa, leaving recovery prospects uncertain.
- Summer.fi had not issued a full technical post-mortem when security firms published their findings, so the precise code-level root cause and remediation steps remain unconfirmed.
- The incident, reported Monday, highlights the compounded risk of automated multi-protocol vaults where routing funds across lending and liquidity stacks widens the attack surface and can expose users to large single-transaction exploits.